https://community.cisco.com/t5/network-security/asa-8-3-single-host-multiple-pat/m-p/1434992#M645454 <HTML><HEAD></HEAD><BODY><P>You need to create a new object for each static pat or it will overwrite. You can have the same host each object though.&nbsp; Just call the object with a diff. name.&nbsp; You need as many objects as there are going to be static PATs.</P><P></P><P><SPAN>You may find these links useful: </SPAN><A class="jive-link-wiki-small" href="https://community.cisco.com/docs/DOC-9129">https://supportforums.cisco.com/docs/DOC-9129</A></P><P></P><P><SPAN>8.3 nat video: </SPAN><A class="jive-link-wiki-small" href="https://community.cisco.com/docs/DOC-12324">https://supportforums.cisco.com/docs/DOC-12324</A></P><P></P><P>-KS</P></BODY></HTML> Fri, 06 Aug 2010 21:51:16 GMT Kureli Sankar 2010-08-06T21:51:16Z https://community.cisco.com/t5/network-security/asa-8-3-single-host-multiple-pat/m-p/1434989#M645443 <P>Hi All,</P><P></P><P>After battling with, and eventually learning from the ASA 8.3 NAT configuration, I have stumbled over another hurdle which is causing me some confusion.</P><P></P><P>I have PAT working quite well for one host. That is, OUTSIDE:2202 ---&gt; INSIDE_HOST:2202. See below for config.</P><P></P><P>I'm running ASA 8.3.(2) and ASDM 6.2.(3) on a ASA 5505</P><P></P><P>!</P><P>object network LXSERVER <BR /> host 10.2.2.2</P><P>!</P><P>access-list OUTSIDE_access_in extended permit tcp any host 10.2.2.2 eq 2202</P><P>!</P><P>object network LXSERVER</P><P> nat (DMZ,OUTSIDE) static interface service tcp ssh 2202</P><P></P><P>This is all working like a dream but when I tried to add another static NAT rule from the outside interface to the same host on a different port, the new rule overwrote the old one.</P><P></P><P>!</P><P>object network LXSERVER</P><P> nat (DMZ,OUTSIDE) static interface service tcp ftp 2121</P><P>!</P><P></P><P>So, my question is, how do I configure multiple static PATs for one internal host from the OUTSIDE inteface.</P><P><BR />Please note that I have only a single public IP address which is received via DHCP.</P> Mon, 11 Mar 2019 18:22:19 GMT https://community.cisco.com/t5/network-security/asa-8-3-single-host-multiple-pat/m-p/1434989#M645443 Conor Cunningham 2019-03-11T18:22:19Z https://community.cisco.com/t5/network-security/asa-8-3-single-host-multiple-pat/m-p/1434990#M645448 <HTML><HEAD></HEAD><BODY><P>Here is an example. I hope this is what you are trying to accomplish:</P><P></P><PRE style="font-family: monospace; font-size: 12px; white-space: pre-wrap; word-wrap: break-word;"> object service FTP_PASV_PORT_RANGE<BR />&nbsp;&nbsp; service tcp <B>source</B> range 65000 65004<BR /> <BR /> object network HOST_FTP_SERVER<BR />&nbsp; host 192.168.10.100<BR /> <BR /> nat (Inside,outside) source static HOST_FTP_SERVER interface service<BR />FTP_PASV_PORT_RANGE FTP_PASV_PORT_RANGE<BR /><BR /><BR />ciscoasa(config)# sh xlate<BR />1 in use, 6 most used<BR />TCP PAT from Inside:HOST_FTP_SERVER 65000-65004 to outside:10.10.10.1<BR />65000-65004 flags sr idle 47:51:27 timeout 0:00:00<BR /><BR />-KS</PRE></BODY></HTML> Fri, 06 Aug 2010 21:43:50 GMT https://community.cisco.com/t5/network-security/asa-8-3-single-host-multiple-pat/m-p/1434990#M645448 Kureli Sankar 2010-08-06T21:43:50Z https://community.cisco.com/t5/network-security/asa-8-3-single-host-multiple-pat/m-p/1434991#M645452 <HTML><HEAD></HEAD><BODY><P>Hi KS,</P><P></P><P>Thanks for the help, althouh it is not entirely what I am after, although I think it will work for what I am after temporarily.</P><P></P><P>What I was looking for was to use a discontiguous port range, i.e.</P><P></P><P>2202 --&gt; 22</P><P>2121 --&gt; 21</P><P>8080 --&gt; 80</P><P>4443 --&gt; 443</P><P></P><P>etc etc.</P><P></P><P>Cheers,</P><P><BR />Conor</P></BODY></HTML> Fri, 06 Aug 2010 21:48:36 GMT https://community.cisco.com/t5/network-security/asa-8-3-single-host-multiple-pat/m-p/1434991#M645452 Conor Cunningham 2010-08-06T21:48:36Z https://community.cisco.com/t5/network-security/asa-8-3-single-host-multiple-pat/m-p/1434992#M645454 <HTML><HEAD></HEAD><BODY><P>You need to create a new object for each static pat or it will overwrite. You can have the same host each object though.&nbsp; Just call the object with a diff. name.&nbsp; You need as many objects as there are going to be static PATs.</P><P></P><P><SPAN>You may find these links useful: </SPAN><A class="jive-link-wiki-small" href="https://community.cisco.com/docs/DOC-9129">https://supportforums.cisco.com/docs/DOC-9129</A></P><P></P><P><SPAN>8.3 nat video: </SPAN><A class="jive-link-wiki-small" href="https://community.cisco.com/docs/DOC-12324">https://supportforums.cisco.com/docs/DOC-12324</A></P><P></P><P>-KS</P></BODY></HTML> Fri, 06 Aug 2010 21:51:16 GMT https://community.cisco.com/t5/network-security/asa-8-3-single-host-multiple-pat/m-p/1434992#M645454 Kureli Sankar 2010-08-06T21:51:16Z https://community.cisco.com/t5/network-security/asa-8-3-single-host-multiple-pat/m-p/1434993#M645455 <HTML><HEAD></HEAD><BODY><P>Cheers for that KS, I had feared that was the solution.</P><P></P><P>Thanks for your help.</P><P></P><P>Cheers,</P><P></P><P>Conor</P></BODY></HTML> Fri, 06 Aug 2010 21:53:47 GMT https://community.cisco.com/t5/network-security/asa-8-3-single-host-multiple-pat/m-p/1434993#M645455 Conor Cunningham 2010-08-06T21:53:47Z